Analysis
- max time kernel: 123s
- max time network: 134s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-11-2020 18:03

Static task: static1

Behavioral task: behavioral1
- Sample: d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
- Resource: win10v20201028
General
- Target: d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
- Size: 1.8MB
- MD5: 14e426e40efb41c9ee647ff8eeb8d3f8
- SHA1: be7f2bd1b71af40cfb29320c843ef272701f1b67
- SHA256: d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124
- SHA512: 9210b53bea9e2ff975aa8ee3ed2eb79234a9fba68dade923950b0b8ed6ed1a2976f6d9e6b5aec39132be823ff980177949311e1ebab9529e7d5d56512b502884
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 692   d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
    pid 2824  7za.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid 692   d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- JavaScript code in executable (1 IoC)
  Processes:
    resource: \Users\Admin\AppData\Local\Temp\is-EL84D.tmp\idp.dll   yara_rule: js
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Kills process with taskkill (1 IoC)
  Processes:
    pid 2520  taskkill.exe
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  Processes:
    flow 11   HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 692   d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
    pid 692   d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
    Token: SeDebugPrivilege     pid 2520  taskkill.exe
    Token: SeRestorePrivilege   pid 2824  7za.exe
    Token: 35                   pid 2824  7za.exe
    Token: SeSecurityPrivilege  pid 2824  7za.exe
    Token: SeSecurityPrivilege  pid 2824  7za.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid 692   d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (pid / process -> target pid / target process):
    PID 980  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe  wrote to memory of  692   d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  (3 entries)
    PID 692  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  wrote to memory of  2520  taskkill.exe  (3 entries)
    PID 692  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  wrote to memory of  2696  cscript.exe   (2 entries)
    PID 692  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  wrote to memory of  3020  schtasks.exe  (3 entries)
    PID 692  d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp  wrote to memory of  2824  7za.exe       (3 entries)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe"
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\is-GE9QH.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-GE9QH.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp" /SL5="$20120,1194311,780288,C:\Users\Admin\AppData\Local\Temp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\taskkill.exe
      Command line: "taskkill" /F /im Vkotnakate_DJ.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - Level 3: C:\Windows\system32\cscript.exe
      Command line: "cscript.exe" C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\info.js
    - Level 3: C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /Create /TN VKDJ /SC ONLOGON /TR "C:\ProgramData\VkontakateDJ\Vkotnakate_DJ.exe /H" /F /DELAY 0001:00 /RL HIGHEST
      - Creates scheduled task(s)
    - Level 3: C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\7za.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\7za.exe" e "C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\5.10.zip" -pvkd -y -oC:\ProgramData\VkontakateDJ
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\5.10.zip
  MD5: 88461ea87a1eb08ea2728b980c410b21
  SHA1: 34a7775822195afdbb5ae79e220d0b6a84508318
  SHA256: 28e04228aef6e577cb5f545579fa8d509cb3fdd6ab2f9ec308e4f2f2e49434e5
  SHA512: f06e4cb9f05eeb1c8add6b715fb5c105ab4166625c1ac6747477e2874b7d554de82afc574b2bf3a4202d621f8fb9888607a2dd7e05c3eaf39f67a168cfc2a6fd
- C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\7za.exe
  MD5: 43141e85e7c36e31b52b22ab94d5e574
  SHA1: cfd7079a9b268d84b856dc668edbb9ab9ef35312
  SHA256: ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
  SHA512: 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc
- C:\Users\Admin\AppData\Local\Temp\is-EL84D.tmp\info.js
  MD5: ead0bf6ff4e3446ac39427cb3dffdc6e
  SHA1: 037444fdb1c81c804034959980738a049bbbbcf7
  SHA256: d96634e77d01f0790758c72a76fd17ae1dcbafd719121fd0942826de2a5d1186
  SHA512: 31dc3c2c38358f6e049a77c49b98f675562f172219df3cf62a6815af30af5f6a8188d3d49a328ce2af09e3c8438ccdc1bae0dd25e838494b7a09830e6eff337c
- C:\Users\Admin\AppData\Local\Temp\is-GE9QH.tmp\d92ff294fd993c16a4bc8581e0a84fe361d714b75b87f812331231a35e7dc124.tmp
  MD5: ac2adb4621cccacbafc3f06e2b29016c
  SHA1: f9273150e00ae8513cbf741a67e4828e7c60f035
  SHA256: 1fdc97cf3fb4e31d15ea487ca3974b18cda979418f57c7b827f3c7275184ef3e
  SHA512: f754b04e318786496444539023cdd143dc0990d27561a7afd2041830ba46cadec42cd159ec516ed1f478894f53f40dbda87954b2ee06ea2ddc2276419396c800
- \Users\Admin\AppData\Local\Temp\is-EL84D.tmp\idp.dll
  MD5: 55c310c0319260d798757557ab3bf636
  SHA1: 0892eb7ed31d8bb20a56c6835990749011a2d8de
  SHA256: 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
  SHA512: e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
Memory dumps
- memory/692-0-0x0000000000000000-mapping.dmp
- memory/2520-3-0x0000000000000000-mapping.dmp
- memory/2696-5-0x0000000000000000-mapping.dmp
- memory/2824-8-0x0000000000000000-mapping.dmp
- memory/3020-7-0x0000000000000000-mapping.dmp